CN104272657A - Method and apparatus for providing tenant information for network flows - Google Patents
Publication number: CN104272657A (application CN201380023083.XA)
Authority: CN (China)
Prior art keywords: tenant, record, network, virtual switch, data record
Legal status: Granted (status as listed by Google Patents, not a legal conclusion)
Classifications
- H04L43/00—Arrangements for monitoring or testing data switching networks
- H04L43/20—Arrangements for monitoring or testing data switching networks the monitoring system or the monitored elements being virtualised, abstracted or software-defined entities, e.g. SDN or NFV
Abstract
In one embodiment, a method includes generating at a network device comprising a virtual switch, a tenant record comprising tenant information for a context defined within the virtual switch, exporting the tenant record to a collector, monitoring network flow at the virtual switch, and exporting network flow data in a data record to the collector. The data record includes an identifier associating the data record with the context. An apparatus is also disclosed.
Description
Technical Field
The present disclosure relates generally to communication networks, and more specifically to providing tenant information in a cloud computing multi-tenant environment.
Background
Many enterprises and service providers are building private or public clouds. Cloud computing enables network access to a shared pool of configurable resources that can be rapidly provisioned and released with minimal management effort. In a multi-tenant model, the provider's resources are pooled to serve multiple customers, with different physical and virtual resources dynamically assigned and reassigned according to customer demand. In cloud computing, a multi-tenant environment allows multiple customers to use the same public cloud. In order to provide network planning and security analysis in a multi-tenant environment, traffic needs to be monitored on a per-tenant basis and data needs to be exported for each tenant.
Brief Description of the Drawings
Fig. 1 illustrates an example of a network in which the embodiments described herein may be implemented.
Fig. 2 illustrates VXLAN segments used in creating a network virtualization overlay.
Fig. 3 depicts an example of a network device that may be used to implement the embodiments described herein.
Fig. 4 is a flowchart illustrating an overview of a process for providing tenant information for network flows, in accordance with one embodiment.
Corresponding reference characters indicate corresponding parts throughout the several views of the drawings.
Detailed Description
Overview
In one embodiment, a method generally comprises generating, at a network device comprising a virtual switch, a tenant record comprising tenant information for a context defined within the virtual switch; exporting the tenant record to a collector; monitoring network flow at the virtual switch; and exporting network flow data in a data record to the collector. The data record comprises an identifier associating the data record with the context.
In another embodiment, an apparatus generally comprises a processor for generating a tenant record comprising tenant information for a context defined within a virtual switch, exporting the tenant record to a collector, monitoring network flow at the virtual switch, and exporting network flow data in a data record to the collector. The data record comprises an identifier associating the data record with the context. The apparatus further comprises memory for storing the tenant information.
Example Embodiments
The following description is presented to enable one of ordinary skill in the art to make and use the embodiments. Descriptions of specific embodiments and applications are provided only as examples, and various modifications will be readily apparent to those skilled in the art. The general principles described herein may be applied to other applications without departing from the scope of the embodiments. Thus, the embodiments are not to be limited to those shown, but are to be accorded the widest scope consistent with the principles and features described herein. For purposes of clarity, details relating to technical material that is known in the technical fields related to the embodiments have not been described in detail.
Cloud computing provides resources and services that are abstracted from an underlying infrastructure and provided on demand and at scale. Inherent in cloud computing is the presence of multiple tenants with numerous applications using the on-demand cloud infrastructure. Multi-tenancy support has become an important requirement for data centers, especially in the context of data centers supporting virtualized servers (referred to as virtual machines). Multiple virtual machines share hardware resources without interfering with each other, so that several operating systems and applications can run at the same time on a single computer.
In a cloud environment, each tenant and application needs to be logically isolated from the others, even at the network layer. Traffic isolation is important in a multi-tenant implementation, so that a tenant's traffic and internal address usage are invisible to other tenants and do not conflict with addresses used in the data center. Traditional VLAN isolation techniques may not provide sufficient segmentation for large-scale cloud deployments. In order to provide segmentation at cloud deployment scale, Virtual Extensible Local Area Network (VXLAN) may be used to provide a network virtualization overlay. Traffic in the network may be separated between customers based on an identifier such as a segment identifier (in the case of VXLAN) or a VLAN identifier.
In order to monitor the appropriate service to identified connections or flows, it is preferable to track each network flow in large-scale server deployments. A network protocol such as NetFlow may be used to collect traffic (network flow) information. NetFlow services provide network administrators with access to information about IP (Internet Protocol) flows within their data networks. Exported NetFlow data may be used for a variety of purposes, including, for example, network management and planning, enterprise accounting, Internet Service Provider (ISP) billing, data warehousing, denial of service (DoS) attack prevention, and data mining. In order to enable NetFlow in a multi-tenant environment, traffic needs to be monitored and exported on a per-tenant basis. The NetFlow collector should also represent data on a per-tenant basis. The NetFlow collector therefore needs information about the tenant associated with a VXLAN segment or other context in the virtualized environment.
The embodiments described herein allow traffic to be monitored on a per-tenant basis and flow information (e.g., NetFlow data) to be exported on a per-tenant basis. As described above, traffic is separated between customers using contexts defined by the virtual switching environment. In one embodiment, a tenant record (e.g., an option template) is used to export tenant-specific information based on a VLAN segment identifier (e.g., VXLAN segment ID) or other identifier. The tenant record provides details about the tenant associated with the context and is exported to a collector for use in identifying the tenant associated with flow data records received at the collector. Since tenant information does not change frequently, the tenant record eliminates the need to include tenant information in each flow data record.
Referring now to the drawings, and first to Fig. 1, an example of a network in which the embodiments described herein may be implemented is shown. For simplicity, only a small number of network elements are depicted. The network may be configured as a data center or any other type of network. As shown in Fig. 1, a physical switch 10 is in communication with a network 15 and with network devices (server A, server B) 12. The switch 10 may be, for example, an access switch in communication with an aggregation switch or edge switch (not shown). There may be any number of physical switches 10 between the servers 12 and the network 15; for example, multiple switches 10 may be provided to give redundancy for traffic flow between the servers 12 and the network 15. The network 15 may include one or more networks (e.g., local area network, metropolitan area network, wide area network, virtual private network, enterprise network, Internet, intranet, radio access network, public switched network, or any other network). The network 15 may include any number or type of network devices (e.g., routers, switches, gateways, or other network devices) that facilitate the passage of data over the network.
Each server 12 includes a virtual switch (referred to herein as a Virtual Ethernet Module (VEM)) 14 and one or more virtual machines (VMs) 16. The virtual machines 16 share hardware resources without interfering with each other, so that multiple operating systems and applications can run at the same time on a single computer. A virtual machine monitor such as a hypervisor (not shown) dynamically allocates hardware resources to the virtual machines 16. Each server 12 may include any number of virtual machines 16, and the virtual machines may be moved between servers based on traffic patterns, hardware resources, or other criteria. The server 12 may be, for example, a blade server, rack server, or any other type of network device operable to host virtual machines 16. For example, the server 12 may host application servers or remotely host virtual machine applications used at end user devices (end stations, client devices) (not shown).
The virtual machines 16 communicate with the virtual switch 14 via virtual network interface cards (VNICs), which connect to virtual Ethernet interfaces at the virtual switch. The server 12 includes an Ethernet port for each physical network interface card. The Ethernet ports may be aggregated at a port channel. The virtual switch 14 communicates with the network 15 via the physical Ethernet interfaces. The virtual switch 14 switches traffic between the virtual machines 16 and the physical network interface cards.
The physical switch 10 is also in communication with a Virtual Supervisor Module (VSM) 18. The VSM 18 may be located in a physical appliance in communication with the servers 12 via the physical switch 10, or the VSM may be a virtual appliance (e.g., virtual machine) installed on one of the servers 12 or on another server in the network. The VSM 18 is configured to provide control plane functionality for the virtual machines 16. The virtual switch 14 provides switching capability at the server 12 and operates as a data plane associated with the control plane of the VSM 18. The VSM 18 and the virtual switches (VEMs) 14 operate together to form a distributed virtual switch (DVS) as viewed by a management station (not shown). The distributed virtual switch may be, for example, a Nexus 1000V series switch available from Cisco Systems, Inc. of San Jose, California. The management station may include, for example, a virtualization management platform such as the VMware Virtual Center management station available from VMware of Palo Alto, California.
It is to be understood that the distributed virtual switch shown in Fig. 1 and described above is only an example, and the embodiments described herein may be implemented in other virtual switches. The term "virtual switch" as used herein may refer to a distributed virtual switch (e.g., VEM 14 and VSM 18) or any other virtual switch operable to switch traffic between virtual machines in a virtualized server environment, or between network devices (e.g., physical switches, routers, gateways) and other network devices at a server.
As shown in Fig. 1, network flows 21 are exchanged between user equipment and the servers 12 over the network 15. A flow 21 comprises a sequence of packets with common attributes that pass through the network device 12. A flow may be defined, for example, based on source IP address, destination IP address, IP protocol, source port, and destination port. Each individual flow may be monitored, with statistics maintained for each flow (e.g., flow start time and end time, number of packets sent, etc.).
Flows are monitored by the VEM 14 at each server 12 and stored in a cache (e.g., NetFlow cache) 24 at that server. Each processing line card of the VEM 14 at the server 12 collects flow statistics for the flows passing through that line card. A distributed exporter model may be used to export flow data directly from each VEM 14, or the VEM 14 may transfer the data accumulated in its cache 24 to the VSM 18, which exports the flow data using a single-source exporter model.
In the distributed exporter model, the exporter 26 is located at the VEM 14 (shown in Fig. 1 at server A). Each line card supported by the VEM 14 exports its own cache 24 directly to the collector 20, and the VSM 18 provides only limited management functionality for the export.
In the single-source exporter model, flow statistics are stored in the cache 24 at the VEM 14 and transferred to the exporter 26 at the VSM 18 (shown in Fig. 1 at server B and at the VSM). When the flow statistics need to be exported, the data is routed from the VEM 14 to the VSM 18. The flow data is then exported from the VSM 18 to the collector 20.
The exporter 26 transmits export packets to the collector 20. As described in detail below, the export packets comprise tenant records (e.g., templates, option templates) 25 and flow data records 28. The tenant record 25 comprises tenant information for a context (e.g., VLAN segment (VXLAN)) defined within the virtual switch (e.g., a distributed virtual switch or multiple distributed virtual switches).
The tenant record 25 may be exported to the collector 20 at the start of a flow, periodically, on demand, or any combination thereof. For example, the tenant record 25 may be exported after a specified number of packets or period of time. The interval may be a default value or may be configurable.
Export of the tenant record 25 and the data record 28 to the collector 20 may be implemented using, for example, User Datagram Protocol (UDP) or Stream Control Transmission Protocol (SCTP) as the transport mechanism.
The collector (data collection device) 20 receives data (tenant records 25, flow data records 28) from one or more exporters 26 and processes the data. The collector 20 receives and stores the tenant records 25 and flow data records 28. The flow records 28 may be aggregated (e.g., by tenant) before being stored at the collector 20. Once the tenant record 25 has been received by the collector 20, the collector uses the segment ID (or other identifier) to map the flow information received from the exporter 26 to a specific tenant. For example, the collector 20 may use the information received in the tenant record 25 to decode the flow data records 28 and map the data records to tenants. The flow statistics exported to the collector 20 by the exporter 26 are analyzed by an analyzer 22. The analyzer 22 may process the network flow information for use by applications (e.g., usage-based billing, traffic engineering, attack/intrusion detection, quality of service monitoring, etc.). The analyzed statistics may be used by a network administrator to obtain information about network capacity and flows and to resolve any network problems.
In one embodiment, the cache 24, exporter 26, and collector 20 are a NetFlow cache, NetFlow exporter, and NetFlow collector, respectively. The term "NetFlow" as used herein refers to a protocol for monitoring characteristics of network flows. It is to be understood that this is only an example, and that other protocols, such as Internet Protocol Flow Information Export (IPFIX), may be used to collect flow information and monitor characteristics of network flows. Any number or type of exporters 26, collectors 20, or analyzers 22 may be used. Also, the collector 20 and analyzer 22 may be located at the same network device.
It is to be understood that the network shown in Fig. 1 and described herein is only an example, and the embodiments may be implemented in networks having different network topologies or network devices without departing from the scope of the embodiments.
As noted above, the example shown in Fig. 1 includes only a small number of network elements. An infrastructure serving a cloud computing environment may have a large number of tenants, each with its own applications. Each tenant needs a logical network that is isolated from all other tenants. Each application of a tenant may also need its own logical network so that it is isolated from other applications. In one embodiment, VXLAN segments are used to allow logical networks to extend between virtual machines located in different Layer 2 domains. VXLAN provides a Layer 2 overlay scheme over a Layer 3 network. Each overlay is referred to as a VXLAN segment. Only virtual machines 16 within the same VXLAN segment can communicate with each other. VXLAN provides a Layer 2 abstraction to the virtual machines 16, regardless of where the virtual machines 16 are located. A VXLAN segment is therefore a VXLAN Layer 2 overlay network over which the virtual machines 16 communicate.
In one embodiment, each virtual machine 16 is assigned an IP address, which is used as the source IP address when an encapsulated MAC (media access control) frame is sent over the network 15. The VEM 14 encapsulates the Layer 2 frames received from the virtual machines 16. The encapsulation carries a VXLAN identifier. The VXLAN to which a virtual machine connects may be specified in a port profile (described below) and is applied when the virtual machine 16 connects to the network.
The same VXLAN may be configured on one or more distributed virtual switches to create a network virtualization overlay. There may therefore be multiple servers 12 supporting multiple virtual machines 16, each comprising one or more interfaces associated with VLANs or VLAN segments at different network locations (as shown in Fig. 2 and described below). For example, a customer or business unit (e.g., research and development, corporate, finance) may be assigned different VXLAN segments, which are used at various locations (e.g., Los Angeles division, San Francisco headquarters, Seattle branch office) that communicate with the data center. The tenant record 25 is used to provide details about the tenant associated with a VXLAN segment. This allows the collector 20 to represent flow data on a per-tenant basis.
Fig. 2 illustrates VXLAN segments at the virtual switch 14 for a network virtualization overlay. In the example shown in Fig. 2, the virtual machines 16 comprise interfaces associated with VLAN 44, VXLAN 4400, and VXLAN 4401. Customers or applications using different segments are isolated from one another. For example, a customer using a virtual machine 16 with interfaces on VLAN 44 and VXLAN 4400 cannot directly access servers at virtual machines with interfaces on VXLAN 4401.
It is to be understood that the VLAN segmentation described above is only an example, and a tenant may be associated with another context defined in the virtual switching environment.
Referring again to Fig. 1, the exporter 26 at the distributed virtual switch (e.g., at the VEM 14 or at the VSM 18) exports the tenant record 25, which is used to provide tenant-specific information based on a context identifier (e.g., the VXLAN segment ID or other identifier). After the tenant record 25 has been sent to the collector 20, the exporter 26 sends flow information in flow data records 28. The flow data record 28 comprises the flow statistics and the context ID associated with the flow. The collector 20 uses the information obtained from the tenant record 25 to map the flow records to a specific tenant.
As described below, the tenant record 25 comprises an identifier (e.g., VXLAN ID (24-bit LAN segment identifier), VLAN ID, or other context ID), which is also included in the flow data records 28 so that the flow data can be mapped to a specific tenant. In one embodiment, the identifier is defined in a port profile. A port profile is used to define a container for a common set of configuration policies (attributes) for multiple interfaces. Port profiles are associated with port configuration policies that are defined by the network administrator and applied automatically to a large number of ports as those ports come online in the virtual environment. Port profiles allow a single policy or identifier to be applied to a large number of ports and support both static and dynamic mapping to ports.
The tenant record 25 may include, for example, segment ID, tenant name and description, location, distributed virtual switch identifier (name, location), and bridge domain. The tenant record 25 may also be used to provide additional information, such as details about interface indexes (e.g., interface name, interface description), or to define the data format for one or more of the flow data records being sent. Preferably, a different tenant record 25 is generated for each different context. For example, each tenant record 25 may be associated with a different VXLAN segment. The tenant record 25 may be transmitted, for example, in a NetFlow packet comprising a packet header and one or more fields containing one or more tenant records. The packet may also include one or more flow data records 28.
In one embodiment, the tenant record 25 is a NetFlow template or option template. It is to be understood that the term "template" as used herein may refer to any collection of data that can be transmitted from the exporter 26 to the collector 20 to provide tenant-specific information, and that may be transmitted in any suitable format (e.g., as data in one or more packet fields).
The flow data record 28 may be exported when the end of a flow is determined or at periodic intervals. The flow record 28 comprises information about the traffic in a given flow, including, for example, measured attributes of the flow (e.g., packet and byte counts (e.g., the total number of bytes of all packets in the flow)), timestamps, and characteristic attributes of the flow (e.g., source IP address, protocol, type of service, application ports, input and output interfaces). More specifically, the flow data record 28 may include, for example, the context identifier, input interface index, output interface index, flow start and end timestamps, the number of bytes and packets observed in the flow, Layer 3 headers (source and destination IP addresses, source and destination port numbers, IP protocol), and Layer 3 routing information.
In one embodiment, the tenant record 25 and the flow data records 28 are exported in NetFlow export packets. The export packet comprises a packet header (containing packet information) and one or more tenant records 25, one or more data records 28, or a combination thereof. For example, the export packet may comprise a collection of tenant records 25 or a collection of flow records 28 (referred to as a flowset).
It is to be understood that the contents and format of the tenant record 25 and flow data record 28 described above are only examples, and the records may include more, fewer, or different information without departing from the scope of the embodiments.
Fig. 3 illustrates an example of a network device 30 (e.g., server, appliance) that may be used to implement the embodiments described herein. In one embodiment, the network device 30 is a programmable machine that may be implemented in hardware, software, or any combination thereof. The network device 30 comprises one or more processors 32, memory 34, network interfaces 36, and the exporter 26.
The exporter 26 comprises a tenant record generator and a data record generator (e.g., logic operable to generate the tenant records 25 and flow data records 28). The exporter 26 may comprise, for example, fixed logic or programmable logic (e.g., software/computer instructions executed by the processor 32).
The memory 34 may be a volatile memory or non-volatile storage device that stores various applications, operating systems, modules, and data for execution and use by the processor 32. For example, the memory 34 may store the exporter processing logic.
Logic may be encoded in one or more tangible media for execution by the processor 32. For example, the processor 32 may execute code stored in a computer-readable medium such as the memory 34. The computer-readable medium may be, for example, electronic media (e.g., RAM (random access memory), ROM (read-only memory), EPROM (erasable programmable read-only memory)), magnetic media, optical media (e.g., CD, DVD), electromagnetic media, semiconductor technology media, or any other suitable media.
The network interfaces 36 may comprise any number of interfaces (e.g., line cards, network interface cards, ports) for receiving data from or transmitting data to other devices.
It is to be understood that the network device 30 shown in Fig. 3 and described above is only an example, and different configurations of network devices may be used. For example, the network device 30 may further include any suitable combination of hardware, software, algorithms, processors, devices, components, or elements operable to facilitate the capabilities described herein.
Fig. 4 is a flowchart illustrating a process for providing tenant information for network flows, in accordance with one embodiment. At step 40, the exporter 26 generates a tenant record 25 for each VXLAN segment or other context defined in the virtual switch. As previously described, the tenant record 25 comprises, for example, tenant-specific information based on the segment ID. As described with respect to Fig. 1, the exporter 26 operates at the distributed virtual switch and may be located at the server 12 (at the virtual switch 14) or at the appliance 18 (at the virtual supervisor module). The tenant record 25 is exported to the collector 20 (step 42). The distributed virtual switch monitors network flows and collects network flow data for the network flows passing through the network device (step 44). For example, the monitoring may comprise monitoring network flows at the VEM 14 or collecting network flow data at the VSM 18. Since flows may enter or leave the network device, statistics are maintained for both ingress and egress traffic. The network device exports the network flow information in data records 28 (step 46).
The data record 28 comprises an identifier associating the data record with the context. As described above, the identifier may comprise, for example, a segment ID associating the data record 28 with a VXLAN segment. The tenant record 25 containing the same segment ID provides the tenant-specific information for that VXLAN segment. For example, the network flow information may be transmitted as network flow records encapsulated in packets. The flow data records 28 may be transmitted at the end of a network flow or at periodic intervals. The collector 20 uses the information received in the tenant record 25 to associate the flow data received in the data records 28 with the tenant.
It is to be understood that the process shown in Fig. 4 and described above is only an example, and steps may be added, modified, or reordered without departing from the scope of the embodiments. For example, the tenant record 25 may not be exported to the collector 20 until the network device has collected at least some network flow information, or the tenant record 25 may be transmitted together with the data records 28.
Although the method, apparatus, and system have been described in accordance with the embodiments shown, one of ordinary skill in the art will readily recognize that changes could be made to the embodiments without departing from the scope thereof. Accordingly, it is intended that all matter contained in the above description and shown in the accompanying drawings shall be interpreted as illustrative and not in a limiting sense.
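The following Python collector is an added example, not part of the patent text and not any vendor's implementation, showing the join the description above relies on: tenant records map a segment ID to tenant details, flow data records carry only the segment ID, and records that arrive before their tenant record (the ordering the preceding paragraph allows) are held until it does. The packet layout, record type codes, tenant names and flow values are all constructed for this example.

```python
import ipaddress
import struct
from collections import defaultdict

VERSION, TENANT_RECORD, FLOW_RECORD = 1, 1, 2   # constructed codes (assumption for this example)

# Constructed big-endian layouts for this example, not the patent's or NetFlow's wire format:
#   header: version(H) count(H) | tenant record: type(B) segment(3) name(16s) location(16s)
#   flow record: type(B) segment(3) src(4s) dst(4s) proto(B) sport(H) dport(H) packets(I) bytes(Q)
HDR = struct.Struct("!HH")
TENANT = struct.Struct("!B3s16s16s")
FLOW = struct.Struct("!B3s4s4sBHHIQ")


def pack_tenant_record(segment_id, name, location):
    """Tenant record: carries the segment ID -> tenant mapping once, not in every flow record."""
    if len(name.encode()) > 16 or len(location.encode()) > 16:
        raise ValueError("tenant name/location limited to 16 bytes in this layout")
    return TENANT.pack(TENANT_RECORD, segment_id.to_bytes(3, "big"), name.encode(), location.encode())


def pack_flow_record(segment_id, src, dst, proto, sport, dport, packets, nbytes):
    """Flow data record: flow statistics plus only the context (segment) identifier."""
    return FLOW.pack(FLOW_RECORD, segment_id.to_bytes(3, "big"), ipaddress.IPv4Address(src).packed,
                     ipaddress.IPv4Address(dst).packed, proto, sport, dport, packets, nbytes)


def pack_export_packet(records):
    """Export packet: header followed by any mix of tenant and flow records."""
    return HDR.pack(VERSION, len(records)) + b"".join(records)


class Collector:
    """Joins flow records to tenants through the segment ID learned from tenant records."""

    def __init__(self):
        self.tenants = {}                 # segment_id -> (tenant name, location)
        self.pending = defaultdict(list)  # flows seen before their tenant record arrived
        self.totals = defaultdict(lambda: {"flows": 0, "packets": 0, "bytes": 0})

    def ingest(self, packet):
        version, count = HDR.unpack_from(packet, 0)
        if version != VERSION:
            raise ValueError(f"unsupported export version {version}")
        off = HDR.size
        for _ in range(count):
            rtype = packet[off]
            if rtype == TENANT_RECORD:
                _, seg, name, loc = TENANT.unpack_from(packet, off)
                off += TENANT.size
                self._on_tenant(int.from_bytes(seg, "big"), name.rstrip(b"\0").decode(),
                                loc.rstrip(b"\0").decode())
            elif rtype == FLOW_RECORD:
                _, seg, *_keys, packets, nbytes = FLOW.unpack_from(packet, off)
                off += FLOW.size
                self._on_flow(int.from_bytes(seg, "big"), packets, nbytes)
            else:  # unknown type means unknown length: fail closed instead of guessing a resync
                raise ValueError(f"unknown record type {rtype} at offset {off}")
        if off != len(packet):
            raise ValueError("trailing bytes after the declared record count")

    def _on_tenant(self, seg, name, location):
        self.tenants[seg] = (name, location)   # periodic re-export simply refreshes the mapping
        for packets, nbytes in self.pending.pop(seg, []):   # flows that arrived before this record
            self._account(seg, packets, nbytes)

    def _on_flow(self, seg, packets, nbytes):
        if seg in self.tenants:
            self._account(seg, packets, nbytes)
        else:
            self.pending[seg].append((packets, nbytes))

    def _account(self, seg, packets, nbytes):
        t = self.totals[self.tenants[seg][0]]
        t["flows"] += 1
        t["packets"] += packets
        t["bytes"] += nbytes

    def report(self):
        """Per-tenant totals plus segments still waiting for a tenant record."""
        return {"tenants": dict(self.totals),
                "unmapped": {seg: len(v) for seg, v in self.pending.items()}}


def demo():
    """Constructed exporter sequence: a flow on VXLAN 4400 arrives before its tenant record."""
    c = Collector()
    c.ingest(pack_export_packet([pack_flow_record(4400, "10.1.1.5", "10.1.1.9", 6, 443, 50123, 10, 1500)]))
    c.ingest(pack_export_packet([pack_tenant_record(4400, "acme-rnd", "san-francisco"),
                                 pack_tenant_record(4401, "acme-finance", "seattle")]))
    c.ingest(pack_export_packet([pack_flow_record(4400, "10.1.1.9", "10.1.1.5", 6, 50123, 443, 20, 3000),
                                 pack_flow_record(4401, "10.2.0.7", "10.2.0.8", 17, 5000, 53, 5, 700),
                                 pack_flow_record(4402, "10.3.0.1", "10.3.0.2", 6, 80, 40000, 1, 60)]))
    return c.report()
```

A segment that never receives a tenant record stays in the "unmapped" bucket, which is the condition a per-tenant dashboard should alert on rather than silently drop.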
Claims (20)
1. A method comprising:
generating, at a network device comprising a virtual switch, a tenant record comprising tenant information for a context defined within said virtual switch;
exporting said tenant record to a collector;
monitoring network flow at said virtual switch; and
exporting network flow data in a data record to said collector;
wherein said data record comprises an identifier associating said data record with said context.
2. The method of claim 1, wherein said context comprises a VLAN segment.
3. The method of claim 1, wherein said tenant record comprises a network flow option template.
4. The method of claim 1, wherein said tenant record is configured for use at said collector in mapping said data record to a tenant associated with said context.
5. The method of claim 1, wherein said identifier comprises a virtual extensible local area network segment identifier.
6. The method of claim 1, wherein said tenant record comprises a tenant identifier.
7. The method of claim 1, wherein said tenant record comprises a location of said network device in a network.
8. The method of claim 1, wherein said virtual switch comprises a distributed virtual switch and said tenant record comprises a distributed virtual switch identifier.
9. The method of claim 1, wherein exporting said tenant record and exporting said data record comprise using the NetFlow protocol.
10. An apparatus comprising:
a processor for generating a tenant record comprising tenant information for a context defined within a virtual switch, exporting said tenant record to a collector, monitoring network flow at said virtual switch, and exporting network flow data in a data record to said collector; and
memory for storing said tenant information;
wherein said data record comprises an identifier associating said data record with said context.
11. The apparatus of claim 10, wherein said context comprises a VLAN segment.
12. The apparatus of claim 10, wherein said tenant record comprises a network flow option template.
13. The apparatus of claim 10, wherein said tenant record is configured for use at said collector in mapping said data record to a tenant associated with said context.
14. The apparatus of claim 10, wherein said identifier comprises a virtual extensible local area network segment identifier.
15. The apparatus of claim 10, wherein said tenant record comprises a tenant identifier.
16. The apparatus of claim 10, wherein said tenant record comprises a location in a network.
17. The apparatus of claim 10, wherein said virtual switch comprises a distributed virtual switch and said tenant record comprises a distributed virtual switch identifier.
18. The apparatus of claim 10, wherein said tenant record and said data record are exported using the NetFlow protocol.
19. 1 kinds of logics be coded in for execution on one or more tangible computer computer-readable recording medium, can operate when described logic is performed to perform following operation:
Generate tenant's record at the network equipment place comprising virtual switch, described tenant records the tenant's information comprised for the situation defined in described virtual switch;
Described tenant's record is exported to gatherer;
At described virtual switch place monitor network stream; And
Network flow data in data record is exported to described gatherer;
Wherein, described data record comprises the identifier described data record and described situation being carried out associating.
20. logics as claimed in claim 19, wherein said situation comprises VLAN segmentation.
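The collector-side mapping that claims 3 to 9 and their apparatus counterparts describe, as an added Python example that is not the patent's own code: a collector joins flow data records to tenants by the segment identifier each record carries, using the separately exported tenant records, and holds records whose tenant record has not arrived yet rather than dropping them. The record field names, the Collector class and every sample identifier and address are constructed for this example and come neither from the patent nor from any NetFlow implementation.

```python
from dataclasses import dataclass
from typing import Dict, List, Optional

@dataclass(frozen=True)
class TenantRecord:
    """Tenant information for one context defined within the virtual switch."""
    segment_id: int   # VXLAN segment identifier naming the context (claim 5)
    tenant_id: str    # claim 6
    dvs_id: str       # distributed virtual switch identifier (claim 8)
    location: str     # position of the exporting network device (claim 7)

@dataclass(frozen=True)
class FlowDataRecord:
    segment_id: int   # the only tenant-related field a data record carries
    src_ip: str
    dst_ip: str
    byte_count: int

class Collector:
    def __init__(self) -> None:
        self.tenants: Dict[int, TenantRecord] = {}
        self.bytes_by_tenant: Dict[str, int] = {}
        # flows whose segment has no tenant record yet are held, not dropped
        self.pending: List[FlowDataRecord] = []

    def ingest_tenant_record(self, rec: TenantRecord) -> None:
        self.tenants[rec.segment_id] = rec
        replay = [f for f in self.pending if f.segment_id == rec.segment_id]
        self.pending = [f for f in self.pending if f.segment_id != rec.segment_id]
        for flow in replay:          # late tenant record: attribute held flows now
            self.ingest_data_record(flow)

    def ingest_data_record(self, flow: FlowDataRecord) -> Optional[str]:
        """Map the data record to a tenant; returns the tenant id or None if unmapped."""
        tenant = self.tenants.get(flow.segment_id)
        if tenant is None:
            self.pending.append(flow)
            return None
        self.bytes_by_tenant[tenant.tenant_id] = (
            self.bytes_by_tenant.get(tenant.tenant_id, 0) + flow.byte_count)
        return tenant.tenant_id

def run_demo() -> Collector:
    """Constructed sample: two contexts, one flow before its tenant record, one unknown."""
    c = Collector()
    c.ingest_data_record(FlowDataRecord(5002, "10.0.2.5", "10.0.2.9", 400))  # early
    c.ingest_tenant_record(TenantRecord(5001, "tenant-a", "dvs-1", "pod-3/host-7"))
    c.ingest_tenant_record(TenantRecord(5002, "tenant-b", "dvs-1", "pod-3/host-7"))
    c.ingest_data_record(FlowDataRecord(5001, "10.0.1.5", "10.0.1.7", 1500))
    c.ingest_data_record(FlowDataRecord(5001, "10.0.1.7", "10.0.1.5", 300))
    c.ingest_data_record(FlowDataRecord(5002, "10.0.2.5", "10.0.2.9", 600))
    c.ingest_data_record(FlowDataRecord(9999, "10.9.9.9", "10.9.9.1", 50))  # unknown
    return c
```

Records still in `pending` after a tenant record should have arrived are the signal a monitoring team wants to alert on: flows with no tenant attribution in a multi-tenant environment.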
Applications Claiming Priority (3)
Application Number | Priority Date | Filing Date | Title
---|---|---|---
US13/461,667 (US9407450B2) | 2012-05-01 | 2012-05-01 | Method and apparatus for providing tenant information for network flows
US13/461,667 | 2012-05-01 | |
PCT/US2013/038072 (WO2013165785A1) | 2012-05-01 | 2013-04-24 | Method and apparatus for providing tenant information for network flows
Publications (2)
Publication Number | Publication Date
---|---
CN104272657A (en) | 2015-01-07
CN104272657B (en) | 2018-03-27
Family ID: 48289691
Family Applications (1)
Application Number | Title | Priority Date | Filing Date
---|---|---|---
CN201380023083.XA (CN104272657B, active) | Method and apparatus for providing tenant information for network flows | 2012-05-01 | 2013-04-24
Country Status (4)
Country | Link
---|---
US (1) | US9407450B2 (en)
EP (1) | EP2845350B1 (en)
CN (1) | CN104272657B (en)
WO (1) | WO2013165785A1 (en)
Application events
- 2012-05-01: US, US13/461,667 (US9407450B2), Active
- 2013-04-24: EP, EP13720709.8A (EP2845350B1), Active
- 2013-04-24: WO, PCT/US2013/038072 (WO2013165785A1), Application Filing
- 2013-04-24: CN, CN201380023083.XA (CN104272657B), Active
Also Published As
Publication Number | Publication Date
---|---
EP2845350A1 (en) | 2015-03-11
WO2013165785A1 (en) | 2013-11-07
CN104272657B (en) | 2018-03-27
EP2845350B1 (en) | 2019-07-17
US20130297768A1 (en) | 2013-11-07
US9407450B2 (en) | 2016-08-02
Legal Events
Code | Title
---|---
C06 | Publication
PB01 | Publication
C10 | Entry into substantive examination
SE01 | Entry into force of request for substantive examination
GR01 | Patent grant